Re: This is an advanced question for networking/proxy WIZARDS..


EricLaw

Apr 10, 2013, 2:23:45 PM
to httpf...@googlegroups.com
This is an easy question. :-)
 
To determine what sort of proxy authentication an upstream proxy is offering to use, simply run Fiddler and look at the Proxy-Authenticate response header coming from the upstream proxy. Alternatively, look at the Proxy-Authorization request header from the client to see what sort of authentication the client ultimately suggests.
 
Generally speaking, Windows itself does not store (in the registry or elsewhere) information about what sort of proxy authorization is in use. Instead, it simply waits for a Proxy-Authenticate challenge and takes it from there.

btemtd

Apr 10, 2013, 5:59:10 PM
to httpf...@googlegroups.com
Thank you so, so, so much for your help. Since I am new to Fiddler, is there a way you can guide me or show me a screenshot of this example showing the authentication scheme?
Does this have to be run from the customer's computer, and do they need admin rights? If so, I will need to guide them through the steps. I hope it's a simple process.

EricLaw

Apr 10, 2013, 6:21:55 PM
to httpf...@googlegroups.com
Yes, this must be run on the customer's computer.
Open Fiddler.
Use the browser or application to visit some site that requires proxy authentication.
In Fiddler, double-click on one of the lines with a 407 in the Result column. The Inspectors tab will open. In the bottom pane, click the Headers tab. Look for the Proxy-Authenticate header in the list on that tab.

btemtd

Apr 10, 2013, 7:37:52 PM
to httpf...@googlegroups.com
OK, I am at work and we have a proxy. Now it comes back as showing:

Proxy-authenticate: NTLM

Proxy-authenticate: kerberos

Proxy authenticate: negotiate

Proxy support: session- based -authentication

I think we have a weird proxy setup here, but would you be able to tell me what this means?

btemtd

Apr 10, 2013, 7:48:27 PM
to httpf...@googlegroups.com
How is it possible to have 3 authentication schemes, and why?

btemtd

Apr 10, 2013, 8:02:33 PM
to httpf...@googlegroups.com
Wait a minute, I just clicked on another 407 line and this time it shows Negotiate only.

Could you explain why 2 different 407 lines for the same site showed different schemes?

btemtd

Apr 10, 2013, 8:12:39 PM
to httpf...@googlegroups.com
Ok let me show you exactly what I mean.
The first 407 line that shows when I go to a specific site shows this:

Proxy-Authenticate Header is present: Negotiate

Proxy-Authenticate Header is present: Kerberos

Proxy-Authenticate Header is present: NTLM

No WWW-Authenticate Header is present.

 

Then if I click the second 407 line directly under it, it shows this:

Proxy-Authenticate Header is present: Negotiate

-[NTLM Type2: Challenge]------------------------------

Provider: NTLMSSP

Type: 2

OS Version: 6.1:7601

Flags: 0xa2898205

Unicode supported in security buffer.

Request server's authentication realm included in Type2 reply.

NTLM authentication.

Negotiate Always Sign.

Negotiate NTLM2 Key.

Target Information block provided for use in calculation of the NTLMv2 response.

Supports 56-bit encryption.

Supports 128-bit encryption.

Challenge: 82 DD CC 46 DF 06 B4 DF

------------------------------------

No WWW-Authenticate Header is present.

 

 

So maybe you can help me understand this find :) Thanks so much, Eric, you are a GENIUS

EricLaw

Apr 10, 2013, 10:01:38 PM
to httpf...@googlegroups.com
This means that the server offered to speak any of three protocols: NTLM, Kerberos, or Negotiate (which is just a combination of NTLM or Kerberos). The client selects one of these three (see the Proxy-Authorization request header in the top half of the Inspectors tab) in the request that it sends following the first 407 response from the proxy.

btemtd

Apr 10, 2013, 11:45:14 PM
to httpf...@googlegroups.com
If I choose the Inspectors tab, then click Headers, under Cookies/Login it shows the following:
 
Proxy-Authenticate: Negotiate TlRMTVNTUAACAAAACAAIADgAAAAFgomidFp4tdd8FVIAAAAAAAAAAMQAxABAAAAABgGxHQAAAA9EAEMAMAAxAAIACABEAEMAMAAxAAEAGgBBAFUAUwBOAFIAWQAtADQARgBSAE8ATgBUAAQAJABkAGMAMAAxAC4AZgB1AGoAaQB4AGUAcgBvAHgALgBuAGUAdAADAEAAYQB1AHMAbgByAHkALQA0AGYAcgBvAG4AdAAuAGQAYwAwADEALgBmAHUAagBpAHgAZQByAG8AeAAuAG4AZQB0AAUAGgBmAHUAagBpAHgAZQByAG8AeAAuAG4AZQB0AAcACABQgZzDZTbOAQAAAAA=
 
I performed a test where I was speaking to an IT worker and he thought his proxy authentication scheme was set to Basic... The funny thing is that it shows NTLM in all the places where it talks about proxy authentication. It does not show the three that show up when I run this at my company.
 
Are you saying that my company uses three different proxy schemes? Because after research I believe this is possible. I am just not sure: if the server offered to speak any of the three protocols, does this mean they are using 3? Because why didn't the client's computer show the same thing? It only showed NTLM.
 
One other thing with Fiddler: if the client's proxy is set to BASIC, will it show up as BASIC or is it going to show up as some other thing? How accurate is it? Should I believe what Fiddler is saying, or if the client says it's Basic, should I believe him? Although he was not sure, and surprisingly no one in the IT department knew.

EricLaw

Apr 12, 2013, 1:54:04 PM
It's simple: If you don't see BASIC in a Proxy-Authenticate header, then they do not support BASIC to authenticate to the proxy. If you don't see BASIC in a Proxy-Authorization header, then the client isn't using BASIC. If BASIC were in use, you'd see this in these headers when watching with Fiddler.
 
Virtually all proxies that are willing to support NTLM are also willing to support Kerberos and Negotiate. As a consequence, these three protocols are typically all offered at the same time. As I said before, Negotiate is just NTLM or Kerberos, so really there are only two protocols under the covers.
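
The check described in this thread, as an added example that is not part of the original posts: Python that lists the schemes offered in a 407's Proxy-Authenticate headers, reports whether Basic is among them, and decodes an NTLM Type 2 challenge carried after Negotiate. The sample headers and token are constructed (only the flags value 0xa2898205 is taken from the post above), and the function names are this example's own.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# Subset of NTLM negotiate flag bits, matching the lines Fiddler decoded in the thread.
FLAGS = {
    0x00000001: "Unicode", 0x00000004: "Request target", 0x00000200: "NTLM",
    0x00008000: "Always sign", 0x00080000: "NTLM2 key", 0x00800000: "Target info",
    0x20000000: "128-bit", 0x80000000: "56-bit",
}

def offered_schemes(header_lines):
    """Return [(scheme, token_or_None)] for each Proxy-Authenticate header."""
    out = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            scheme, _, token = value.strip().partition(" ")
            out.append((scheme, token.strip() or None))
    return out

def basic_offered(header_lines):
    """True only if the proxy lists Basic among its challenges."""
    return any(s.lower() == "basic" for s, _ in offered_schemes(header_lines))

def describe_token(b64_token):
    """Classify the blob that follows 'Negotiate' or 'NTLM' in a 407."""
    raw = base64.b64decode(b64_token)
    if not raw.startswith(NTLM_SIG):
        return {"mechanism": "not raw NTLMSSP (SPNEGO-wrapped token)"}
    info = {"mechanism": "NTLM", "type": struct.unpack_from("<I", raw, 8)[0]}
    if info["type"] == 2 and len(raw) >= 32:
        flags = struct.unpack_from("<I", raw, 20)[0]   # NegotiateFlags
        info["flags"] = [n for bit, n in FLAGS.items() if flags & bit]
        info["challenge"] = raw[24:32].hex()           # 8-byte server challenge
    return info

def constructed_type2():
    """Constructed Type 2 message: empty target fields, made-up challenge."""
    body = NTLM_SIG + struct.pack("<IHHII", 2, 0, 0, 48, 0xA2898205)
    body += bytes.fromhex("0011223344556677") + bytes(8) + struct.pack("<HHI", 0, 0, 48)
    return base64.b64encode(body).decode()

# Constructed responses shaped like the two 407s described in the thread.
FIRST_407 = ["HTTP/1.1 407 Proxy Authentication Required", "Proxy-Authenticate: Negotiate",
             "Proxy-Authenticate: Kerberos", "Proxy-Authenticate: NTLM"]
SECOND_407 = ["Proxy-Authenticate: Negotiate " + constructed_type2()]

if __name__ == "__main__":
    for resp in (FIRST_407, SECOND_407):
        for scheme, token in offered_schemes(resp):
            print(scheme, describe_token(token) if token else "(initial offer, no token)")
    print("Basic offered:", basic_offered(FIRST_407))
```

A Negotiate header whose token starts with the NTLMSSP signature means the Negotiate exchange has settled on NTLM for that connection, which is why the second 407 lists only one scheme.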